Vulnerability Description
An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection").
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Vsphere | <= 2.16 |
Related Weaknesses (CWE)
References
- https://jenkins.io/security/advisory/2018-03-26/#SECURITY-745Vendor Advisory
- https://jenkins.io/security/advisory/2018-03-26/#SECURITY-745Vendor Advisory
FAQ
What is CVE-2018-1000152?
CVE-2018-1000152 is a vulnerability with a CVSS score of 6.3 (MEDIUM). An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapsho...
How severe is CVE-2018-1000152?
CVE-2018-1000152 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000152?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Vsphere.